Introduction

During onboarding, and before access to any HCQIS system or application, each user must sign Rules of Behavior, complete the appropriate training, and provide evidence of training completion to their Security Point of Contact (SPOC); the SPOC will track all required training within their organization. In many cases, an annual attestation is also provided to the organization’s CMS Contracting Officer’s Representative (COR) as a deliverable.  

If you have questions about policy or need more information regarding contract requirements, please contact your COR.

Please view information on the following topics below: Training, Local SPOC/SO SAT Certification/Attestation, SAT Record Keeping and Maintenance for SPOCs, and Previous HCQIS Contractors vs New Users.



Required Training(s)

During onboarding and before access to any HCQIS system or application, each user must complete proper training requirements on an annual basis and must provide evidence of completion to his/her respective Security Point of Contact (SPOC), who will track all required training within the organization.

Note: In most cases, an annual attestation is also provided to the CMS COR as a deliverable. Contact your COR for specific contract deliverables and dates.

Security Awareness Training (SAT)

The HCQIS system utilizes the DoD Cyber Exchange (https://public.cyber.mil/cyber-training/), a publicly accessible training library with course offerings to allow contractors to meet the CMS SAT requirements. SAT Training is broken into two (2) separate trainings focusing on Security and Privacy. These trainings include:

  • Cyber Awareness Challenge
  • Identifying and Safeguarding Personal Identifiable Information (PII)


Records Management

In addition to Security Awareness training, the Department of Health and Human Services (HHS) Records Management training is a mandatory training requirement and is outlined in the HHS Policy for Records Management and the Office of Management and Budget (OMB)/National Archives and Records Administration (NARA) joint Directive M-19-21, Transition to Electronic Records. The purpose of this records management training is to provide an overview of user responsibilities for records handling, help users tell the difference between records and non-records, and assist them in learning how to manage the federal records lifecycle.

Note: The HHS Office of Human Capital manages records management training and requirements for CMS. Therefore, separate or updated instructions may be issued by HHS to include new training requirements, content or links. Please check with your COR for any changes to these requirements.

Below are the links to the websites where the three required trainings are hosted. DoD provides the links for the security trainings, and they are subject to change at any time. If a link is broken, you may also do a web search for the name of the training and use the appropriate search result, since the trainings are publicly available.


User Instructions

  • Complete the online trainings as defined by the deliverable, contract onboarding period or other timeframe identified by the program/contract.
  • Enter your name in the Certification of Completion’s online display, which is provided at the successful conclusion of the training.
    1. Note: Screen captures of the training certificate are acceptable if no printable certificate exists or if any errors occur while printing.
  • Take a screen capture (shot) or save a copy of the certificate locally, then provide a copy of your completed certification to your organization’s assigned Security Point of Contact (SPOC), who will maintain a copy for record retention.

    the information provided by HHS.


Local SPOC/SO SAT Certification/Attestation

The SPOC should adhere to the following guidelines related to certification and attestation of training results:

1. Only one memo is required for all sites under each prime contract region/area/site.
2. The Certification Memo must be signed by the SPOC (or, in the SPOC’s absence, the Security Officer (SO)) and the organization’s designated Program Lead.
3. You may apply a naming convention that best suits your organization, contract or deliverable, provided it is easy for other readers to understand.
4. Submit the completed certification memo electronically to your COR using the specified vehicle outlined in the contract, as directed by the CMS COR.

Organizational SPOCs may leverage the provided template to fulfill the requirement.

QNet Security Awareness Certification Template.docx



SAT Record Keeping and Maintenance for SPOCs


Records must be updated and maintained at all times, but they are only to be submitted to CMS if requested by the COR or the Information Systems Security Officer (ISSO). Record templates are available within the Security page on the QualityNet Communications Hub or may be obtained through your CMS COR.

Contracts operating across multiple sites (prime/sub) may exercise the option of having multiple records or a single record that reflects all individual sites and each user respectively.

At the top of each page, insert the contract name and specify the site if applicable. For multiple sites in a single area, you may use a different table that identifies each State/region for each site.

Organizational SPOCs may leverage the provided template to fulfill the requirement.

Security Awareness Training Record template.docx



Previous HCQIS Contractors vs New Users

New users on a contract take training at the time of receiving initial access and annually thereafter. Some contracts and organizations require all users to complete training by a specific time each year. As a result, there may be times when a user has transferred from another contract or has recently started and would NOT have to retake the training. Therefore, if a user has started or transferred and has taken all required trainings within the last 90 days, that user may be exempt from taking any training again until the following calendar year or deliverable period, whichever schedule is followed.

